How to Add SMS and OTP Login to WordPress
Most passwordless plugins for WordPress are email-only: enter your address, click the link in your inbox, you're in. That works well — but it assumes everyone has easy inbox access at the moment they want to log in. A lot of your audience doesn't. They're on a phone, the email lands in spam or arrives three minutes late, and they bounce. For those users, a one-time code by SMS is faster and more reliable than any email link.
This guide shows you how to add WordPress SMS login and OTP login with Magic Link — enter a phone number, receive a code, verify, done — and how to do it securely without inviting brute-force attacks or runaway SMS bills.
Why SMS/OTP login beats email for some audiences
Email passwordless login is great as a default. But SMS OTP login wins in specific situations:
- Mobile-first users. People logging in from a phone don't want to switch to an email app, find your message, and tap a link. A code that arrives in the same notification shade they're already looking at is one tap faster.
- Regions where SMS is instant and email isn't. In many markets SMS delivery is near-instant and trusted, while email is slow or routinely filtered into spam. If your link never reaches the inbox, the login never happens.
- Higher-trust checkout. A phone number tied to a real SIM feels more verified than a throwaway email. For WooCommerce and membership flows, that extra trust signal reduces fake accounts.
- No inbox needed. Some users simply don't check email often. Their phone, though, is always on them.
This isn't an argument to drop email — it's an argument to offer both and let each user take the faster path. Magic Link supports email, SMS, and QR login side by side, which is the point: you cover more of your audience with one plugin instead of forcing everyone through a single channel.
How SMS/OTP passwordless login works
The flow is simple from the user's side:
- The user enters their phone number (or, if you allow both, their email) into the login form.
- Magic Link generates a one-time code or link and sends it through your SMS gateway to that number.
- The user reads the code from the text message and enters it — or taps the link.
- Magic Link verifies the code, confirms it hasn't expired or been reused, and logs the user in.
No password is stored, typed, or remembered. The code is single-use and short-lived, so even if someone glances at the screen, it's worthless minutes later. Conceptually it's the same as the email magic link — see the passwordless login guide for the bigger picture — only the delivery channel is SMS instead of email.
What you need
To send codes over SMS, WordPress needs a way to actually deliver a text message. That means two things:
- Magic Link, installed and activated on your WordPress site.
- An SMS gateway / provider account — a service that exposes an API for sending texts (a Twilio-style gateway is the common pattern). You'll get an API key (and usually a sender ID or "from" number) from that provider's dashboard.
The provider is what charges you per message and handles carrier delivery worldwide; Magic Link is what triggers the send and verifies the result. You sign up with the gateway, copy your credentials, and paste them into Magic Link. Exact dashboards differ between providers, so treat the gateway steps below as generic — the principle (get an API key, give it to Magic Link) is the same everywhere.
If you're new to the plugin, start with Getting Started, then come back here.
Step-by-step: set up SMS/OTP login
Step 1: Install Magic Link
Install and activate Magic Link from your WordPress dashboard the way you would any plugin (Plugins → Add New, search, install, activate). The Getting Started doc walks through first-run configuration.
Step 2: Enable the SMS / OTP login method
In Magic Link's settings, turn on the SMS/OTP login method alongside (or instead of) email. Which channels are available and where they live depends on your version — the free vs Pro features page lists what's included so you know what to expect before you dig into the settings.
Step 3: Connect your SMS gateway
This is where the API key from your provider comes in. In Magic Link's SMS settings:
- Choose or configure your SMS gateway.
- Paste in the API key / credentials you copied from the provider's dashboard.
- Add the sender ID or "from" number the provider issued you, if required.
- Save, then send yourself a test message from the settings screen if the option is available.
These steps are deliberately generic: match them to the exact field names in your provider's dashboard, because Twilio, Vonage, and the rest each label things slightly differently.
Step 4: Set OTP length and expiry
Decide how strong and how short-lived the code should be:
- OTP length — a longer code (6 digits vs 4) is harder to guess. Six is a sensible default.
- Expiry — how long the code stays valid. Short windows (a few minutes) are safer; too short frustrates users who switch apps to read the text. Five to ten minutes is a common balance.
If these exact controls aren't where you expect, check Getting Started and the features page rather than guessing.
Step 5: Place the login form
Add the login form to a page so users can actually reach it. Magic Link provides a shortcode for this — drop it into any page, post, or widget. The shortcode login form doc covers the shortcode and its options, including how to present the phone-number field.
Step 6: Test the full flow
Open the page in an incognito window, enter a real phone number you control, and confirm:
- The text message arrives.
- The code logs you in when entered correctly.
- An expired or wrong code is rejected.
- If you offer email too, that path still works.
If something doesn't fire — no message, code rejected, gateway error — the troubleshooting guide is the place to start, since most issues trace back to gateway credentials or delivery, not WordPress itself.
Security: keep OTP login safe
A one-time code is only as secure as the controls around it. SMS OTP is a real authentication factor, but an unprotected code endpoint is something attackers will probe. Magic Link includes the guardrails that matter:
- Rate-limiting and throttling. Without limits, an attacker can request codes in bulk or hammer the verify endpoint trying every 4- or 6-digit combination. Throttling caps how many codes can be requested and how many verify attempts are allowed before the flow is locked, which is what makes short numeric OTPs safe to use.
- Brute-force protection. Repeated failed attempts get blocked rather than allowed to continue indefinitely.
- IP and domain restriction. You can restrict where login requests are accepted from, narrowing the attack surface for high-value sites.
These aren't optional niceties for an OTP system — they're the difference between "a code texted to a phone" and "a code anyone can guess." Configure them when you enable SMS login, not later.
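To make these controls concrete, here is an added example (not Magic Link's code) of the checks described above: a random code with a set length and expiry, single-use verification, a cap on wrong guesses, and a cap on code requests. The class name, the in-memory arrays, and every limit value are assumptions for illustration; a real site would persist this state in the database.

```php
<?php
// Added illustration, not Magic Link's code; names, limits and in-memory storage are assumptions.
final class OtpStore
{
    private array $codes = [];     // phone => ['hash', 'expires', 'fails']
    private array $requests = [];  // phone => timestamps of recent code requests
    public function __construct(
        private string $secret,        // server-side key used to hash stored codes
        private int $digits = 6,       // OTP length
        private int $ttl = 300,        // code lifetime in seconds (5 minutes)
        private int $maxFails = 5,     // wrong guesses allowed per code
        private int $maxRequests = 3,  // codes issued per phone per window
        private int $window = 900      // request window in seconds
    ) {}

    /** Returns the code to hand to the SMS gateway, or null when throttled. */
    public function issue(string $phone, int $now): ?string
    {
        $recent = array_filter($this->requests[$phone] ?? [], fn($t) => $t > $now - $this->window);
        if (count($recent) >= $this->maxRequests) {
            return null; // caps SMS spend as well as abuse
        }
        $recent[] = $now;
        $this->requests[$phone] = $recent;
        $code = str_pad((string) random_int(0, 10 ** $this->digits - 1), $this->digits, '0', STR_PAD_LEFT);
        $this->codes[$phone] = ['hash' => $this->mac($phone, $code), 'expires' => $now + $this->ttl, 'fails' => 0];
        return $code;
    }

    public function verify(string $phone, string $code, int $now): bool
    {
        $entry = $this->codes[$phone] ?? null;
        if ($entry === null || $now >= $entry['expires'] || $entry['fails'] >= $this->maxFails) {
            unset($this->codes[$phone]); // expired or locked: a new code must be requested
            return false;
        }
        if (!hash_equals($entry['hash'], $this->mac($phone, $code))) { // constant-time compare
            $this->codes[$phone]['fails']++;
            return false;
        }
        unset($this->codes[$phone]); // single use: a replayed code finds nothing
        return true;
    }

    private function mac(string $phone, string $code): string
    {
        return hash_hmac('sha256', $phone . ':' . $code, $this->secret);
    }
}
```

With these assumed defaults, an attacker gets at most 3 × 5 = 15 guesses per phone number in any 15-minute window against 1,000,000 possible codes, and the same request cap bounds how many texts one number can trigger.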
A note on cost
Email is effectively free to send; SMS is not. Every text goes through your gateway, and the gateway charges per message — rates vary by country and can be meaningfully higher for international numbers. Plan for that:
- Offer email as the default and SMS as an option, so you only pay for SMS when a user chooses it.
- Keep throttling on — it caps abuse, but it also caps your bill if someone tries to spam code requests.
- Check your provider's per-country pricing before launching to an international audience.
For most sites the cost is small and worth it for the conversion lift on mobile, but it's a real line item, unlike email login.
Beyond SMS: the rest of the passwordless toolkit
SMS is one channel. Magic Link also does email-based login without a password, QR-code login for cross-device sign-in, and WooCommerce passwordless login for stores. It works with WooCommerce and EDD, and supports role-based redirects so customers, members, and admins each land where they should after signing in. You can manage and audit every issued link from one place — see Manage Magic Links.
Conclusion
Adding WordPress SMS login isn't about replacing email — it's about meeting more of your audience where they actually are. Mobile-first users, regions where email is unreliable, and trust-sensitive checkouts all convert better with a code texted to a phone than with a link buried in an inbox. With Magic Link you install the plugin, enable the SMS/OTP method, connect an SMS gateway with your API key, set a sensible code length and expiry, drop in the login form, and test. Turn on throttling and IP restriction so codes can't be brute-forced, budget for the per-message cost, and you've got a fast, secure, password-free login that works for users who never open their email.
FAQs
Do I need a paid SMS service to use SMS login?
Yes — sending a text requires an SMS gateway, and gateways charge per message. Magic Link triggers and verifies the OTP, but the actual delivery (and the bill) goes through a provider account you connect with an API key.
Is OTP login secure?
It is, when the code is short-lived, single-use, and protected by throttling. Magic Link's rate-limiting, brute-force protection, and IP/domain restriction stop attackers from guessing codes or spamming requests, which is what makes a 6-digit OTP a safe factor.
Can I offer both email and SMS login?
Yes. Magic Link supports email, SMS, and QR login together. A common setup is email as the default with SMS as an option, so each user takes the faster channel and you only pay for SMS when it's used. See the passwordless login guide.
Does SMS login work with international numbers?
That depends on your SMS gateway — most support international delivery, but per-message rates are usually higher outside your home country. Check your provider's per-country pricing before opening SMS login to a global audience.
How long is the OTP code valid?
You set the expiry. A few minutes is the usual balance — long enough that a user can switch apps to read the text, short enough that an exposed code is useless soon after. Pair a short expiry with throttling for the best security.